As applications and digital services have become core to most company operations, the ability to assure performance and functionality has become critical to ensuring the continuity of the business itself. Consequently, a single outage event can bring down an organisation’s entire IT operations – putting brand reputation and customer loyalty on the line.
Having come into effect earlier this month, the Digital Operational Resilience Act (DORA) is an EU regulation that establishes a mandatory Information and Communication Technology (ICT) risk management framework for the EU financial sector. One of the goals of DORA is to enhance the IT security of financial organisations so that they remain resilient during significant operational disruptions. As such, DORA holds financial institutions responsible for the resilience of the services they provide, including the associated ICT components, dependencies, and suppliers.
Building on existing guidelines, DORA’s extension to include third-party ICT service providers is a regulatory recognition, if you will, that the entire digital supply chain matters when it comes to assuring the delivery of services and achieving digital resilience – no matter if one owns the network or not.
Assuring the resilience of ICT dependencies through DORA
Like any modern digital service, the delivery of financial transactions depends on a complex web of owned and third-party infrastructures, including external cloud platforms and SaaS applications (in the case of suppliers and suppliers’ suppliers, these interdependencies can even be hidden). To achieve full digital resilience, many of DORA’s requirements relate to monitoring, testing, identifying, documenting, and reporting ICT issues, with a view towards mitigation, continuity, recovery, and improvement.
One of the requirements is to strengthen third-party risk management by maintaining a resilient ICT framework with monitoring and documentation in place to quickly identify and isolate anomalies. This involves documenting and generating reports on significant ICT-related incidents.
Another requirement mandates regular testing of ICT tools and systems to identify and mitigate any weaknesses or gaps. This approach seeks to help financial institutions address potential vulnerabilities before they can cause significant disruptions. DORA also encourages financial institutions to exchange information, particularly regarding cybersecurity threats and intelligence.
Meeting these requirements, pursuing remediation, and taking responsibility for the resilience of all ICT-related components, dependencies, and suppliers means that financial services firms will need ways to quickly pinpoint where issues are happening and identify the root cause. In practice, they will need visibility over the third-party portions of their service delivery operations, including the ability to map these dependencies vis-à-vis ICT service providers.
Digital resilience for financial institutions and beyond
For banks and other financial services firms that lack visibility and clarity over their end-to-end transactional environment, it could be challenging to achieve the goals and requirements of DORA. But this is a challenge that goes beyond financial institutions.
Not just financial transactions but all digital experiences today are powered by a digital supply chain spanning owned and unowned networks. From the application to the user – be it videoconferencing, online shopping, or a manufacturing plant – the delivery of the digital experience depends on the performance of environments that sit outside of company control, including the cloud and the internet itself.
DORA may be the regulatory recognition of today’s new digital reality, but for businesses in all sectors, digital modernisation is no longer a differentiator – it’s table stakes. In 2025, the new gold standard for the digital business will be its ability to stay resilient in the face of outages and attacks, and to ensure that, in the face of a disruption, the applications and online services its users depend on will always stay on.
Mike Hicks is a principal solutions analyst at Cisco ThousandEyes